1. INTRODUCTION


Cederberg Municipality has undertaken to embed a culture of Enterprise Risk Management (ERM) 
within the municipality and to identify, assess, manage, monitor and report risks to ensure the 
achievement of objectives as identified in the IDP.

2. PURPOSE OF DOCUMENT

The purpose of the risk management strategy is to take what is in the risk management policy and 
apply it in strategy. This strategy sets out all risk management activities planned for the 2016-17 
financial year. This document also provides insight as to how the municipality will implement risk 
management going forward. 

3. ROLES AND RESPONSIBILITIES 


The roles and responsibilities of the role players in the risk management process are as follows:

3.1. Risk Management Oversight

3.1.1. Council 

Council is responsible for the governance of risk. Council takes an interest in risk management to the 
extent necessary to obtain comfort that properly established and functioning systems of risk 
management are in place to protect Cederberg Municipality against significant risks. 

Council has to report to the community on the municipality's system of internal control. This provides
comfort that the municipality is protected against significant risks to ensure the achievement of 
objectives as detailed in the Service Delivery and Budget Implementation Plan (SDBIP). 


Council must perform the following tasks, to fulfil its mandate with regard to ERM. 


Ref

Activity

Frequency



01 

Understand, determine and approve the risk appetite with guidance from 
the CRO and the RMC. 

Annually 

02 

Ensure that frameworks and methodologies are developed and 
implemented. 

Annually 

03 

Ensure that IT, Fraud & Corruption and Occupational Health and Safety 
(OHS) risks are considered as part of the municipality’s risk 
management activities. 

Annually 

04 

Ensure that risk assessments (strategic and operational) are performed 
by reviewing the RMC reports. 

Annually 

05 

Ensure that assurance regarding the effectiveness of the ERM process 
is received from the MM, RMC and the Audit Committee 

Annually 
06

Disclose how they have satisfied themselves that risk assessments,
responses and interventions are effective as well as undue, unexpected 
or unusual risks and any material losses (the annual report to include a 
risk disclosure). 

Annually 

07 

Ensure that management implements, monitors and evaluates 
performance through the RMC reports. 

Annually 


3.1.2. Audit Committee (AC) 


The AC is an independent committee, responsible to oversee the municipality's control, governance 
and risk management. This committee is vital to, among other things, ensure that financial, IT and 
fraud risk related to financial reporting are identified and managed. 

The AC's primary responsibility is providing an independent and objective view of the effectiveness of
the municipality's risk management process to council and to provide recommendations to the MM for 
continuous improvement and management of risks. The responsibilities of the AC with regard to risk 
management are formally defined in its charter.


The Audit Committee must perform the following tasks, to fulfil its mandate with regard to ERM. 


Ref

Activity

Frequency

08 

Formally define its responsibility with respect to risk management in its 
charter. 

Annually 

09 

Ensure that combined assurance is given to address all the significant 
risks facing the municipality. 

Annually 

10 

Advise council on risk management. (This will be clearly defined in the
charter) 

Annually 

11 

Review the internal and external audit plans and ensure that these plans 
address the risk areas of the municipality. 

Annually 

12 

Review and recommend disclosures on matters of risk and risk 
management in the Annual Financial Statements (AFS). 

Annually 

13 

Include statements regarding risk management performance in the annual
report to stakeholders. 

Annually 

14 

Evaluate the effectiveness of Internal Audit in its responsibilities for risk 
management. 

Annually 

15 

Provide regular feedback to the MM on the adequacy and effectiveness of 
risk management in the municipality. 

Quarterly 

16 

Ensure that internal and external audit plans are aligned to the risk profile 
of the municipality. 

Annually 

17 

Ensure that all risks, including IT, fraud & corruption and OHS risks, have
been properly addressed.

Quarterly 

18 

Provide an independent and objective view of the municipality’s risk 
management effectiveness. 

Annually 
3.1.3. Risk Management Committee (RMC)


The committee’s role is to review the risk management progress and maturity of the municipality, the 
effectiveness of risk management activities, the key risks facing the municipality and the responses to 
address these key risks. 


The RMC must perform the following tasks, to fulfil its mandate with regard to ERM. 


Ref

Activity

Frequency

19 

Formally define its roles and responsibilities with respect to risk 
management in its charter. 

Annually 

20 

Review and recommend approval of the Risk Management Policy to the 
MM. 

Annually 

21 

Review and recommend approval of the Risk Management Strategy to the 
MM. 

Annually 

22 

Provide guidance to the MM, CRO and other relevant risk management 
stakeholders on how to manage risks to an acceptable level. 

Quarterly 

23 

Provide timely and useful reports to the MM on the state of ERM, together 
with recommendations. 

Quarterly 

24 

Share risk information with the Audit Committee. 

Quarterly 

25 

Evaluate the extent and effectiveness of integration of ERM within the 
municipality. 

Quarterly 

26 

Assess implementation of the Risk Management Policy and Strategy. 

Quarterly 

27 

Review material findings and recommendations by assurance providers 
on the system of risk management and monitor implementation of such 
recommendations. 

Quarterly 

28 

Develop KPIs for the MM's approval.

Annually 

29 

Measure and understand the municipality’s overall exposure to fraud and
corruption and ensure that proper processes are in place to prevent these
risks from materialising.

Quarterly 

30

Measure and understand the municipality’s overall exposure to IT and 
ensure that proper processes are in place to prevent these risks from 
materialising. 

Quarterly 

31 

Measure and understand the municipality's overall exposure to
Occupational Health & Safety (OH&S) and ensure that proper processes
are in place to prevent these risks from materialising.

Quarterly 
3.2. Risk Management Implemented
3.2.1. Municipal Manager

The MM is ultimately responsible for risk management within the municipality. This includes ensuring 
that the responsibility for risk management vests at all levels of management. The MM sets the tone at
the top by promoting accountability, integrity and other factors that will create a positive control 
environment. 


The MM must perform the following tasks, to fulfil its mandate with regard to ERM. 




Ref

Activity

Frequency

32 

Understand and determine the risk appetite with guidance from the CRO 
and the RMC. 

Annually 

33 

Ensure that frameworks and methodologies are developed and 
implemented. 

Annually 

34 

Appoint adequate staff capacity to drive the ERM activity. 

As the need 
arises 

35 

Appoint a RMC with the necessary skills, competencies and attributes. 

As the need 
arises 

36 

Ensure that the control environment supports the effective functioning of 
ERM. 

Quarterly 

37 

Hold officials accountable for their specific risk management 
responsibilities. 

Ongoing 

38 

Devote personal attention to overseeing management of significant risks. 

Quarterly 

39 

Ensure appropriate action in respect of recommendations of the
AC, Internal Audit, External Audit and RMC to improve ERM.

Quarterly 

40 

Evaluate the value add of risk management. (NT financial management 
maturity capability model) 

Annually 

41 

Provide assurance to relevant stakeholders that key risks are properly 
identified, assessed and mitigated. 

Quarterly 

42 

Provide leadership and guidance. 

Ongoing 


3.2.2. Management 


All other levels of management support the municipality’s risk management philosophy, promote
compliance with the risk appetite and manage risks within their areas of responsibility. 

Management takes ownership for managing the municipality’s risks within their areas of responsibility 
and is accountable to the MM for designing, implementing, monitoring and integrating ERM into their 
day-to-day activities of the municipality. This should be done in a manner that ensures that risk 
management becomes a valuable strategic management tool. 
Management must perform the following tasks, to fulfil its mandate with regard to ERM.


Ref

Activity

Frequency

43 

Execute their responsibilities as set out in the approved Risk
Management Strategy. 

Daily 

44 

Report to the RMC regarding the performance of internal controls for
those risks in the operational risk registers. 

Quarterly 

45 

Devote personal attention to overseeing the management of key risks 
within their area of responsibility. 

Ongoing 

46 

Empower officials to perform effectively in their risk management 
responsibilities. 

Ongoing 

47 

Maintain a co-operative relationship with the CRO and Risk Champions. 

Ongoing 

48 

Maintain the proper functioning of the control environment within their 
area of responsibility. 

Ongoing 

49 

Hold officials accountable for their specific risk management
responsibilities. 

Ongoing 

50 

Continuously monitor the implementation of risk management within 
their area of responsibility. 

Ongoing 


3.2.3. Other Officials 

Other officials are responsible for integrating risk management into their day-to-day activities i.e. by 
ensuring conformance with controls and compliance to procedures. 


Other officials must perform the following tasks, to fulfil its mandate with regard to ERM. 


Ref

Activity

Frequency

51 

Take the time to read and understand the content in the Risk 
Management Policy, but more importantly understanding their roles 
and responsibilities in the risk management process. 

Constantly 

52 

Apply the risk management process in their respective functions. 

Ongoing 

53 

Inform their supervisors and/or the risk management unit (CRO) of new
risks and significant changes. 

As the need 
arises 

54 

Co-operate with other role players in the risk management process. 

Ongoing 

55 

Provide information to role players in the risk management process as 
required. 

As the need 
arises 


3.3. Risk Management Support 
3.3.1. Chief Risk Officer 

The CRO is the custodian of the Risk Management Strategy and Implementation Plan and the 
coordinator of ERM activities throughout Cederberg Municipality. The primary responsibility of the 
CRO is to use his / her specialist expertise to assist the municipality to embed ERM and leverage its
benefits to enhance performance. The CRO plays a vital communication link between senior
management, operational level management, the RMC and other relevant committees. 

The CRO must perform the following tasks, to fulfil its mandate with regard to ERM.




Ref

Activity

Frequency

56 

Assist the MM and senior management to develop the municipality’s vision
for risk management. (Philosophy)

Annually 

57 

Develop, in consultation with management, the municipality’s risk 
management framework and methodologies. 

Annually 

58 

Research and develop the risk rating scales. 

Annually 

59 

Communicate the municipality’s risk management framework and 
methodologies to all stakeholders.

Annually 

60

Facilitate orientation and training for RMC.

As the need
arises

61 

Train all stakeholders in their ERM responsibilities. 

Quarterly 

62 

Continuously drive ERM to higher levels of maturity. 

Ongoing 

63 

Coordinate and facilitate the assessments. 

Quarterly 

64 

Prepare ERM registers, reports and dashboards for submission to the
RMC and other role players.

Quarterly 

65 

Coordinate the implementation of response strategies. 

Ongoing 

66 

Ensure that all IT, fraud, OHS risks are considered as part of the 
municipality’s ERM activities. 

Ongoing 

67 

Avail the approved risk registers to Internal Audit on request. 

As the need 
arises 

68 

Consolidate risk identified by the various Risk Champions. 


69 

Participate with Internal Audit, Management and AG in developing the 
combined assurance plan. 

Annually 


3.3.2. Risk Champions 

A Risk Champion would generally hold a senior position within the municipality and possess the skills, 
knowledge and leadership qualities required to champion a particular aspect of risk management. 

The Risk Champion assists the CRO to facilitate the risk assessment process and manages risks within
their area of responsibility to be within the risk appetite. Their primary responsibilities are advising on, 
formulating, overseeing and managing all aspects of a municipality’s entire risk profile, ensuring that 
major risks are identified and reported upwards. 
Risk Champions must perform the following tasks, to fulfil its mandate with regard to ERM.




Ref

Activity

Frequency

70 

Facilitate operational risk workshops for their area of responsibility with 
the assistance of the CRO. 

Quarterly 

71 

Co-ordinate the implementation of action plans for the risk and report on 
any developments regarding the risk. 

Quarterly 

72 

Populate the risk registers/dashboard. 

Ongoing 

73 

Ensure that all risk information is updated regularly and submitted to the 
CRO. 

Ongoing 

74 

Provide assurance regarding the risk’s controls. 

Ongoing 


3.4. Risk Management Assurance Providers 
3.4.1. Internal Audit 

The core role of Internal Audit in risk management is to provide an independent, objective assurance 
to council and the Audit Committee on the effectiveness of risk management. Internal Audit also
assists in bringing about a systematic, disciplined approach to evaluate and improve the effectiveness 
of the entire system of risk management and provide recommendations for improvement where 
necessary. 


Internal Audit must perform the following tasks, to fulfil its mandate with regard to ERM.



Ref

Activity

Frequency

75 

Provide assurance on the ERM process design and its effectiveness. 

Annually 

76 

Provide assurance on the management of “key risks” including the
effectiveness of the controls and other responses to the “key risks”.

Annually 

77 

Provide assurance on the assessment and reporting of risk and controls. 

Annually 

78 

Prepare a rolling three (3) year Internal Audit plan based on its
assessment of key areas of risk. 

Annually 


3.4.2. External Audit 


External Audit (Auditor-General) provides an independent opinion on the effectiveness of ERM.


External Audit must perform the following tasks, to fulfil its mandate with regard to ERM. 


Ref

Activity

Frequency

79 

Determine whether the risk management framework and methodologies 
are in place and appropriate. 

Annually 

80 

Assess the implementation of the risk management framework and 
methodologies. 

Annually 

81 

Review the risk identification process to determine if it is sufficient to 
facilitate the timely, correct and complete identification of significant risks. 

Annually 
82

Review the risk assessment process to determine if it is sufficient to 
facilitate timely and accurate risk rating and prioritisation. 

Annually 

83 

Determine whether management action plans to mitigate the key risks are 
appropriate and are being effectively implemented. 

Annually 


4. RISK MANAGEMENT IMPLEMENTATION 
4.1 Reporting Lines 

The structures through which risk management will be reported within Cederberg Municipality are set
out below. 



Illustration 1: Cederberg Municipality’s Risk Management Reporting Structure 